October 4, 2023

Knox HDM: High-Assurance Control of Peripheral Devices

Hayawardh Vijayakumar, Security Engineer

Privacy and data security are core concerns when using mobile devices in enterprise settings. However, privacy and security on mobile devices face unique and advanced threats. For example, a malicious insider or stealthy spyware could use the camera, mic, and GPS in the background to spy on meetings or to photograph sensitive data in controlled physical environments, and exfiltrate data through the cellular modem.

One underlying enabler for these threats is that mobile phones are extremely versatile devices that interact with their environment in multiple ways using peripheral devices1, such as modems, Wi-Fi, Bluetooth, cameras, microphones, GPS, NFC, and USB. However, these same peripherals also expose a wide attack surface that attackers can abuse for malicious purposes to compromise privacy and security. Such concerns have unfortunately resulted in mobile phones being disallowed in classified and secure locations, especially in government, as well as security concerns around their use by journalists and leaders who are potential targets of surveillance.

 

Advanced malware exploits the peripheral device attack surface

To further understand the peripheral attack surface, let us look at how advanced threats typically work (Figure 1). First, attackers infiltrate devices to execute malware code on the victim’s device. Infiltration can happen through peripherals such as USB (e.g., connecting to a malicious charger). Second, malware exploits vulnerabilities in the Android framework and the OS kernel to gain privilege and to bypass policy controls installed by an enterprise mobile device management (MDM). Third, malware collects and exfiltrates data using peripherals. For example, the device’s cameras and microphones can be hijacked to look in on and listen to a targeted individual’s environment, while the wireless radios can be leveraged for data exfiltration.

Figure 1: How advanced malware works. Specifically, advanced malware escalates its privileges using OS or Android framework vulnerabilities, and is able to stealthily access peripherals such as the camera and mic in the background.

 

Advanced malware bypasses OS-level peripheral device controls

These threats are addressed by effectively disabling peripherals, such as the camera, mic, USB, and modem. Most OSes, including Android, can disable application access to peripherals through settings and enterprise MDM APIs. However, as it stands today, advanced malware or a threat actor who has compromised the OS and escalated privilege has full control over the device’s hardware components, overriding the user’s selections within OS controls or the organization’s peripheral policies enforced via MDM. For example, the Pegasus spyware used a rooting exploit to escalate privileges to the OS, and bypassed Android’s access controls to surveil live audio and capture camera images stealthily. As another example, researchers demonstrated how an Android permissions bypass vulnerability allowed an app access to camera, microphone, and GPS data without having permissions to do so.

 

HDM: High Assurance Peripheral Device Controls

HDM is a Samsung-exclusive security layer that provides high assurance peripheral device controls to an enterprise even if the OS is compromised and across factory resets. HDM leverages ARM hardware virtualization to interpose on peripheral access, and allows or denies access according to enterprise policy (Figure 2). This policy specifies whether specific peripherals should be enabled or disabled, and also whether to trigger automatic physical lockout of peripherals upon detection of device rooting or compromise (Figure 3). HDM can control access to physical sensors (cameras and microphones), communication chips (cellular modem, Wi-Fi, Bluetooth and NFC) and other peripherals (USB, speaker and GPS) based on enterprise policy.

Figure 2: HDM mediates all accesses to peripherals even if an attacker bypasses Android OS access controls. HDM enforces access based on an enterprise policy stored in tamper-resistant secure storage that persists even across factory resets.

Figure 3: An enterprise policy specifies whether HDM should disable specific peripheral devices, and whether to trigger lockout of peripherals upon detecting device compromise.

HDM achieves strong guarantees using a unique combination of techniques:

  • HDM controls are enabled before any potentially untrusted code can run. HDM starts before the OS as part of Knox’s hardware-rooted trusted boot process, which is the chain of trust that begins when the phone is powered on and ensures that each component is cryptographically validated before being loaded.
  • HDM offers complete protection even in the face of OS compromise. HDM runs at a higher privilege than the OS by leveraging ARM’s hardware virtualization extensions, and therefore mediates and controls all accesses to peripherals even if the Android framework and OS are completely compromised by malware.
  • HDM policy is tamper-resistant and persistent across factory resets. HDM stores its enterprise policy in device secure storage that is protected from tampering and preserved even across factory resets and flashing. Even if the secure storage itself is broken by hardware attacks, HDM can apply a default protection policy.
  • HDM policy updates are cryptographically protected. HDM uses cryptographic signatures and mutual authentication for policy updates. A trusted HDM server generates and signs the enterprise policy, which is verified by HDM on-device. In turn, HDM uses its own unique, hardware-backed key to prove its identity to the server.
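The policy-update exchange described in the last two bullets, as an added example that is not HDM's own code or protocol. The Go program below models both halves with Ed25519 from the standard library: the server signs the enterprise policy and the device verifies that signature before parsing a single byte of it, and the device proves its identity by signing a server-issued nonce with its own key (an in-memory key standing in for the hardware-backed one). The policy shape, the device ID, and the version check that rejects a re-sent older policy are assumptions made for the example and do not describe the real HDM policy format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is an assumed model of the Figure 3 policy, not the real HDM format.
type Policy struct {
	Version             uint64          `json:"version"`
	Disabled            map[string]bool `json:"disabled"`
	LockoutOnCompromise bool            `json:"lockout_on_compromise"`
}

// Server holds the policy-signing key and each enrolled device's public key.
type Server struct {
	signKey ed25519.PrivateKey
	devices map[string]ed25519.PublicKey
}

// Device holds the server's public key and its own key (hardware-backed in HDM; in-memory here).
type Device struct {
	ID        string
	serverPub ed25519.PublicKey
	devKey    ed25519.PrivateKey
	policy    *Policy
}

func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{signKey: priv, devices: map[string]ed25519.PublicKey{}}, nil
}

// Enroll creates the device key pair, records its public half, and hands the device the server's public key.
func (s *Server) Enroll(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.devices[id] = pub
	return &Device{ID: id, serverPub: s.signKey.Public().(ed25519.PublicKey), devKey: priv}, nil
}

// Challenge issues a fresh random nonce for the device to sign.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Prove signs (ID || nonce) with the device key; binding the ID stops one device's response being replayed as another's.
func (d *Device) Prove(nonce []byte) []byte {
	return ed25519.Sign(d.devKey, append([]byte(d.ID), nonce...))
}

// VerifyProof checks the response against the device's enrolled public key.
func (s *Server) VerifyProof(id string, nonce, proof []byte) bool {
	pub, ok := s.devices[id]
	return ok && ed25519.Verify(pub, append([]byte(id), nonce...), proof)
}

// SignPolicy is the server's half of an update: serialize the policy and sign exactly those bytes.
func (s *Server) SignPolicy(p Policy) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(s.signKey, payload), nil
}

// ApplyPolicy verifies the signature before parsing, then refuses a policy whose version does not move forward (assumed anti-rollback rule).
func (d *Device) ApplyPolicy(payload, sig []byte) error {
	if !ed25519.Verify(d.serverPub, payload, sig) {
		return errors.New("policy rejected: server signature invalid")
	}
	var p Policy
	if err := json.Unmarshal(payload, &p); err != nil {
		return err
	}
	if d.policy != nil && p.Version <= d.policy.Version {
		return errors.New("policy rejected: version does not increase")
	}
	d.policy = &p
	return nil
}

func main() {
	srv, _ := NewServer()
	dev, _ := srv.Enroll("device-0001") // constructed device ID
	nonce, _ := srv.Challenge()
	fmt.Println("device authenticated:", srv.VerifyProof(dev.ID, nonce, dev.Prove(nonce)))
	payload, sig, _ := srv.SignPolicy(Policy{Version: 1, Disabled: map[string]bool{"camera": true}, LockoutOnCompromise: true})
	fmt.Println("policy applied:", dev.ApplyPolicy(payload, sig) == nil)
}
```

Two design points worth noting: the device verifies the signature over the raw bytes before `json.Unmarshal` runs, so a forged payload never reaches the parser, and a signature that verifies but carries an old version is rejected without touching the installed policy.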

 

HDM Scenarios

HDM enables several use-cases in a flexible and secure manner.

Scenario 1: Fixed hardware peripheral customization

To avoid being detected or having their position compromised during military operations, operatives often require guaranteed disablement of certain services such as GPS, the microphone, and Wi-Fi. Using HDM to disable these subsystems on the device before troop/device deployment provides high assurance that these services cannot be activated in the field.

Scenario 2: Dynamic context-based peripheral access

To maintain integrity and protect against theft of sensitive information or intellectual property, organizations restrict the usage of mobile devices in secure campuses or locations. HDM can be used to disable the camera and microphone subsystems on the mobile device before entering these areas. Disabling of the hardware could happen automatically using external triggers or by tapping the device at an entry gate.

As another example, when a need arises to discuss confidential matters, mobile device users need to be able to quickly and securely restrict access to microphone and camera hardware. An on-device HDM service can be used to enable or disable these hardware subsystems, ensuring the utmost secrecy is maintained. This can be thought of as a flexible privacy sticker, and it supports multiple peripherals where a sticker cannot be used.

Scenario 3: Zero Trust and damage containment

A core principle of Zero Trust is “assume breach”, where enterprises have to anticipate that attackers can successfully compromise a system, and take measures to contain the breach. To meet these ambitious goals for realizing Zero Trust, enterprises require new endpoint capabilities for limiting damage and data loss in the event that a device compromise is detected. HDM enables robust disabling of peripherals such as Wi-Fi and cellular modem to prevent enterprise data exfiltration once a compromise is detected.
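An added model of the mediation decision itself, written for this page rather than taken from HDM: it covers the two parts of the Figure 3 policy (peripherals disabled outright, peripherals locked out once compromise is detected), the default protection policy applied when secure storage cannot be read, the secure-campus rules of Scenario 2, and the radio lockout of Scenario 3. The policy shape, the peripheral names, the deny-everything default, and the decision log that a console could collect are all assumptions for the example; the one property it is meant to show is that the decision depends only on policy and the compromise flag, never on anything the OS supplies.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy is an assumed model of the Figure 3 policy, not the real HDM format:
// peripherals kept disabled unconditionally, and peripherals to lock out once
// device compromise is detected.
type Policy struct {
	Disabled            map[string]bool
	LockoutOnCompromise map[string]bool
}

// Decision records one mediation outcome so an administrator can review
// which accesses were blocked and why.
type Decision struct {
	Peripheral string
	Allowed    bool
	Reason     string
}

// Mediator stands in for the hypervisor-level interposition point: every
// peripheral access passes through Allow, whatever state the OS is in.
type Mediator struct {
	policy      Policy
	compromised bool
	Log         []Decision
}

// DefaultPolicy is the fallback when secure storage cannot be read (assumed
// content, chosen so that a damaged store never widens access): deny everything.
func DefaultPolicy() Policy {
	all := map[string]bool{}
	for _, p := range []string{"camera", "mic", "gps", "modem", "wifi", "bluetooth", "nfc", "usb", "speaker"} {
		all[p] = true
	}
	return Policy{Disabled: all, LockoutOnCompromise: map[string]bool{}}
}

// NewMediator loads policy through the supplied secure-storage reader and
// falls back to DefaultPolicy on any read failure.
func NewMediator(load func() (Policy, error)) *Mediator {
	p, err := load()
	if err != nil {
		p = DefaultPolicy()
	}
	return &Mediator{policy: p}
}

// OnCompromiseDetected is the hook a rooting/compromise detector calls.
// Nothing here clears the flag; only a fresh enterprise policy should.
func (m *Mediator) OnCompromiseDetected() { m.compromised = true }

// Allow decides one access from policy and the compromise flag alone.
func (m *Mediator) Allow(peripheral string) bool {
	reason := "permitted"
	switch {
	case m.policy.Disabled[peripheral]:
		reason = "disabled by enterprise policy"
	case m.compromised && m.policy.LockoutOnCompromise[peripheral]:
		reason = "locked out after compromise detection"
	}
	allowed := reason == "permitted"
	m.Log = append(m.Log, Decision{Peripheral: peripheral, Allowed: allowed, Reason: reason})
	return allowed
}

// Denied returns the blocked decisions, the part worth forwarding to an
// enterprise console as a signal that something tried to reach a peripheral.
func (m *Mediator) Denied() []Decision {
	var out []Decision
	for _, d := range m.Log {
		if !d.Allowed {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed policy: secure-campus rules (Scenario 2) plus radio lockout (Scenario 3).
	campus := Policy{
		Disabled:            map[string]bool{"camera": true, "mic": true},
		LockoutOnCompromise: map[string]bool{"wifi": true, "modem": true},
	}
	m := NewMediator(func() (Policy, error) { return campus, nil })
	fmt.Println("camera:", m.Allow("camera"), "wifi:", m.Allow("wifi"))
	m.OnCompromiseDetected()
	fmt.Println("after compromise, wifi:", m.Allow("wifi"), "gps:", m.Allow("gps"))
	for _, d := range m.Denied() {
		fmt.Printf("denied %-6s %s\n", d.Peripheral, d.Reason)
	}
	// Unreadable secure storage: the default policy denies everything.
	broken := NewMediator(func() (Policy, error) { return Policy{}, errors.New("secure storage unreadable") })
	fmt.Println("broken storage, gps:", broken.Allow("gps"))
}
```

The `load` callback is where a real implementation would read tamper-resistant storage; the example only cares that a read error produces the restrictive default rather than an empty, permissive policy.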

 

Conclusion

Peripheral devices, such as the camera, microphone, and cellular modem, are increasingly abused by malicious actors to compromise devices, to spy, and to exfiltrate data. Advanced malware exploits the operating system, thereby rendering OS-level controls ineffective. Knox HDM offers high-assurance, secure, and flexible controls that gate access to peripheral devices, securely enabling a wide range of use-cases such as context-based access and Zero Trust.


1 Peripheral devices are also simply called peripherals.
